On Mon, 2002-06-24 at 07:51, Kim Nielsen wrote:

> No .. since --sport would be the client port and not the actual port of
> the service
>
> example:
>
> You create a http request to gentoo.org and this is what happens
>
> 1. get ip for gentoo.org (64.57.168.198)
> 2. allocate a client port
> 3. send request from <ip>:<port> (Source) to 64.57.168.198:80
> (Destination)
>
> The http server on gentoo.org says:
> 1. I got a request on port 80
> 2. send request back to <ip>:<port>
>
> And if the firewall is installed it checks the allowed chains if anyone is
> allowed to send packets to port 80 (The server's port 80, destination
> port) ..
[SNIP]

> if you were to use sport instead of dport you would only allow the
> packet if the user sends from client port 80 which is very unlikely
> since ports below 1024 are privileged ports

I'm sorry .. you are right .. I misunderstood your last mail; it will be
corrected as soon as possible

/Kim
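An added example, not part of this thread, that models the exchange Kim describes as a tiny first-match packet filter: the client address 192.0.2.10 and ephemeral port 40123 are constructed sample values, and the rule/packet fields are simplified to the two port matches under discussion.

```python
# Added example (not from the mailing-list thread): a minimal model of how a
# packet filter evaluates --sport versus --dport for the HTTP exchange
# described above (client -> 64.57.168.198:80 and the server's reply).
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    sport: Optional[int] = None  # --sport: match the packet's SOURCE port
    dport: Optional[int] = None  # --dport: match the packet's DESTINATION port

    def matches(self, pkt: Packet) -> bool:
        return ((self.sport is None or pkt.sport == self.sport) and
                (self.dport is None or pkt.dport == self.dport))


def verdict(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins, as in an iptables chain; else the policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return policy


# Constructed sample traffic: step 2 allocated client port 40123.
REQUEST = Packet(src="192.0.2.10", sport=40123, dst="64.57.168.198", dport=80)
REPLY = Packet(src="64.57.168.198", sport=80, dst="192.0.2.10", dport=40123)

# The web server's INPUT chain written both ways.
INPUT_WRONG = [Rule("ACCEPT", sport=80)]  # only matches if the CLIENT used port 80
INPUT_RIGHT = [Rule("ACCEPT", dport=80)]  # matches anyone connecting to the service


def server_accepts_request(chain: List[Rule]) -> bool:
    return verdict(chain, REQUEST) == "ACCEPT"


if __name__ == "__main__":
    print("--sport 80 accepts the client's request:", server_accepts_request(INPUT_WRONG))  # False
    print("--dport 80 accepts the client's request:", server_accepts_request(INPUT_RIGHT))  # True
    # The reply really does carry source port 80, so --sport 80 is a client-side match.
    print("--sport 80 on the client accepts the reply:", verdict([Rule("ACCEPT", sport=80)], REPLY))  # ACCEPT
```

The server-side chain with --sport 80 drops the request because the client's source port is the ephemeral one, which is exactly the mismatch the thread describes.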